Using FreeRADIUS 0.7.1; currently still just testing out the RADIUS server. We have it getting live accounting information, but no authentication. While looking at radwho I noticed everything was from Tuesday 4pm, and it wasn't updating even though it was still getting accounting traffic (tcpdump -n port radius-acct).
Any ideas what to check? I stopped radiusd, moved the log file and started it again. This is what the head of the log file looks like:

Wed Dec 4 12:18:50 2002 : Info: rlm_sql: Driver rlm_sql_mysql loaded and linked
Wed Dec 4 12:18:50 2002 : Info: rlm_sql: Attempting to connect to radius@localhost:/testradius
Wed Dec 4 12:18:50 2002 : Info: Listening on IP address *, ports 1645/udp and 1646/udp.
Wed Dec 4 12:18:50 2002 : Info: Ready to process requests.
Wed Dec 4 12:18:50 2002 : Error: Accounting: logout: login entry for NAS UNKNOWN-NAS port 113 not found
Wed Dec 4 12:18:51 2002 : Error: Accounting: logout: entry for NAS UNKNOWN-NAS port 1288 has wrong ID
Wed Dec 4 12:18:51 2002 : Error: Accounting: logout: login entry for NAS UNKNOWN-NAS port 1810 not found
Wed Dec 4 12:18:51 2002 : Error: Accounting: logout: entry for NAS UNKNOWN-NAS port 2057 has wrong ID
Wed Dec 4 12:18:51 2002 : Error: Accounting: logout: login entry for NAS UNKNOWN-NAS port 528 not found
Wed Dec 4 12:18:52 2002 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request

On the MySQL server (mysql> show processlist;) it shows 5 sleeping connections, and they have been sleeping since a few seconds after starting FreeRADIUS, so it's not that MySQL is being bogged down exactly. xosview is taking up the most processing power on the machine right now, CPU peaking at 21% (lows at 1%); radiusd and mysqld rarely show up in top.

(heavily trimmed of comments and unused modules)

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.87 2002/03/14 18:47:06 aland Exp $
##

# Stuff from autoconf
prefix = /
exec_prefix = /usr
sysconfdir = /etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radius
group = inet
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
checkrad = ${sbindir}/checkrad
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = after
lower_pass = after
nospace_user = before
nospace_pass = after

security {
    max_attributes = 200
    reject_delay = 1
}

proxy_requests = no
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    # You can have multiple instances of the realm module to
    # support multiple realm syntaxes at the same time. The
    # search order is defined the order in the authorize and
    # preacct blocks after the module config block.
    #
    # Two config options:
    # format - must be 'prefix' or 'suffix'
    # delimiter - must be a single character
    #
    # 'username@realm'
    #
    realm suffix {
        format = suffix
        delimiter = "@"
    }

    # 'realm/username'
    #
    # Using this entry, IPASS users have their realm set to "IPASS".
    realm realmslash {
        format = prefix
        delimiter = "/"
    }

    realm realmslash2 {
        format = prefix
        delimiter = "\\"
    }

    # 'username%realm'
    realm realmpercent {
        format = suffix
        delimiter = "%"
    }

    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints

        # This hack changes Ascend's weird port numberings
        # to standard 0-??? port numbers so that the "+" works
        # for IP address assignments.
        with_ascend_hack = no
        ascend_channels_per_line = 23

        # Windows NT machines often authenticate themselves as
        # NT_DOMAIN\username
        #
        # If this is set to 'yes', then the NT_DOMAIN portion
        # of the user-name is silently discarded.
        with_ntdomain_hack = yes

        # Specialix Jetstream 8500 24 port access server.
        # If you're not running that NAS, you don't need
        # this hack.
        with_specialix_jetstream_hack = no

        # If you're not running a Cisco NAS, you don't need
        # this hack.
        with_cisco_vsa_hack = no
    }

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users

        # If you want to use the old Cistron 'users' file
        # with FreeRADIUS, you should change the next line
        # to 'compat = cistron'. You can then copy your 'users'
        # file from Cistron.
        compat = no
    }

    # This module will add a (probably) unique session id
    # to an accounting packet based on the attributes listed
    # below found in the packet. see doc/README.rlm_acct_unique
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    }

    # Include another file that has SQL-related stuff in it.
    # This is another file solely because it tends to be big.
    $INCLUDE ${confdir}/sql.conf

    radutmp {
        filename = ${logdir}/radutmp
        perm = 0600
        callerid = "yes"
    }

    # "Safe" radutmp - does not contain caller ID, so it can be
    # world-readable, and radwho can work for normal users, without
    # exposing any information that isn't already exposed by who(1).
    #
    # This is another instance of the radutmp module, but it is given
    # the name "sradutmp" to identify it later in the "accounting"
    # section.
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "yes"
    }

    # attr_filter - filters the attributes received in replies from
    # proxied servers, to make sure we send back to our RADIUS client
    # only allowed attributes.
    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    # This module takes an attribute (count-attribute), which MUST
    # be an 'integer' or 'time' attribute. It also takes a key,
    # and creates a counter for each unique key. The count is
    # incremented when accounting packets are received by the
    # server. The value of the increment is the value of the
    # count-attribute.
    #
    # The 'reset' parameter defines when the counters are all reset to
    # zero. It can be hourly, daily, weekly, monthly or never.
    # It can also be user defined. It should be of the form:
    # num[hdwm] where:
    # h: hours, d: days, w: weeks, m: months
    # If the letter is omitted days will be assumed. In example:
    # reset = 10h (reset every 10 hours)
    # reset = 12 (reset every 12 days)
    #
    # The counter-name is the name of the attribute in the 'users'
    # file used to access that counter. e.g.
    #
    # DEFAULT Daily-Session-Time > 3600, Auth-Type = Reject
    #     Reply-Message = "You've used up more than one hour today"
    counter {
        filename = ${raddbdir}/db.counter
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
}

# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
# The order of the realm modules will determine the order that
# we try to find a matching realm.
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
    preprocess
    realmslash2
    suffix
    sql
}

# Authentication.
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that you have to have a module from the 'authorize' section add
# a configuration attribute 'Auth-Type := FOO'. That authentication type
# is then used to pick the appropriate module from the list below.
authenticate {
#    sql
}

# Pre-accounting. Look for proxy realm in order of realms, then
# acct_users file, then preprocess (hints file).
preacct {
    suffix
    files
    preprocess
}

# Accounting. Log to detail file, and to the radwtmp file, and maintain
# radutmp.
accounting {
    acct_unique
    counter
    radutmp
    sql
}

# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
    radutmp
}
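Added example, not part of the original post: a small triage script for a radiusd log in the format quoted above. It groups the accounting errors by message class and reports how long after "Ready to process requests" the thread-pool limit was logged. The function name `triage` and the embedded sample (a shortened copy of the quoted log lines) are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a shortened copy of the log lines quoted in the post.
SAMPLE_LOG = """\
Wed Dec 4 12:18:50 2002 : Info: Ready to process requests.
Wed Dec 4 12:18:50 2002 : Error: Accounting: logout: login entry for NAS UNKNOWN-NAS port 113 not found
Wed Dec 4 12:18:51 2002 : Error: Accounting: logout: entry for NAS UNKNOWN-NAS port 1288 has wrong ID
Wed Dec 4 12:18:51 2002 : Error: Accounting: logout: login entry for NAS UNKNOWN-NAS port 1810 not found
Wed Dec 4 12:18:52 2002 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
"""

# "<weekday> <month> <day> <HH:MM:SS> <year> : <Level>: <message>"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : (\w+): (.*)$")
THREADS_RE = re.compile(r"maximum number of threads \((\d+)\) are active")
PORT_RE = re.compile(r"\bport \d+")


def triage(log_text):
    """Summarise a radiusd log: error classes and thread-pool saturation."""
    ready_at = None
    saturation = []
    classes = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a timestamped log line
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        level, msg = m.group(2), m.group(3)
        if msg.startswith("Ready to process requests"):
            ready_at = ts  # a restart resets the reference point
        hit = THREADS_RE.search(msg)
        if hit:
            delay = (ts - ready_at).total_seconds() if ready_at else None
            saturation.append({"limit": int(hit.group(1)),
                               "seconds_after_ready": delay})
        elif level == "Error":
            # Collapse the per-port number so identical failures group together.
            classes[PORT_RE.sub("port N", msg)] += 1
    return {"error_classes": dict(classes), "saturation": saturation}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
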
